When a financial director at a privately held New York company received a friend request from an attractive blonde on Facebook, the recent divorcé eagerly accepted it. As they chatted over the course of a few days, his new friend mentioned the possibility of visiting him for New Year’s Eve and asked a few innocuous questions about his business, such as how much revenue his company had. He told her he couldn’t disclose that information, but a few days later, having grown more comfortable with her, he admitted that the figure was $6.5 million.

The curious stranger wasn’t a single-looking-to-mingle. “She” was a (male) security consultant for a company called Cyberoam in Bangalore, India, that is finding out how easy it is to exploit social media for corporate espionage. The loose-lipped director’s New York firm was one of 20 companies that Cyberoam targeted over a six-month period, stalking employees on Twitter, LinkedIn and Facebook to find leaks of sensitive information. The Cyberoam spies were able to predict a bankruptcy filing for a Singapore company, based on employees’ tweets about the company’s belt-tightening measures and its vice president of operations announcing on LinkedIn that he was job-searching.

“Employees are sharing information that can be used in very different ways than they intended,” says Cyberoam Vice President Abhilash Sonwane, who is not disclosing the names of the companies his firm monitored. “This was not a fact-finding mission. We just wanted to demonstrate to our clients how important it is to have a social media policy in place advising employees about what they shouldn’t be disclosing online.”

August Jackson, a market intelligence analyst at Ernst & Young (formerly at Verizon), says he wants his co-workers to talk up their work, just not “specifically what they’re working on today.” But he’s more than happy to take advantage of those making this mistake at other companies. He steadfastly follows competitors’ executives and employees on Twitter and LinkedIn. “And I’m really happy that Google+ recently added a search function,” he adds.

If you’re not monitoring competitors’ activity on social media, you may be missing out on delicious tidbits. While creating a fake profile to friend competitors is generally viewed as unethical—and potentially illegal—there are many other legitimate sources of information to be mined on the Web.

Sean Campbell and Scott Swigart of Cascade Insights in Oregon City, Ore., conduct competitive intelligence searches in the technology sector. They often come across juicy info on employees’ LinkedIn pages: university students describing product features they worked on during summer internships (that haven’t yet been publicly disclosed); an AT&T sales representative’s boast that he worked with one of the company’s biggest Wi-Fi clients, volunteering that it was Nintendo’s $6 million account. Even senior executives slip up, as when Hewlett-Packard vice president of cloud services Scott McClellan outlined the details for HP’s planned cloud computing platform on his LinkedIn profile—while official reports were still extremely vague. Before he could delete the overshare, the news media picked up on it, and rivals Microsoft and Amazon got the lowdown.

Swigart was asked by a software company to get intelligence on its competitor Cloudera. He posed a few questions on Quora, a techie-heavy Q&A site, where he is clearly identified as a competitive intelligence specialist. To his surprise, one of the first respondents was an engineer from Cloudera eager to talk in detail about the projects he was working on. “I understand the impulse. He was trying to be active on social media and engage with the community there,” said Swigart. Unfortunately, it’s easy to forget that some may not have your best interests at heart.

Phil Britton, a senior manager of competitive intelligence at Best Buy, frowns upon the practice of spoofing another’s identity. “The same ethics apply online as offline. I wouldn’t walk into a competitor’s store and lie about who I work for. People shouldn’t create false fronts online.”

But people do. Last year Thomas Ryan, a consultant at Provide Security, invented a female white-hat hacker named Robin Sage, giving her accounts on Facebook, Twitter and LinkedIn. He fabricated an impressive résumé for her, including an MIT graduate degree and stints at several intelligence agencies, and grabbed photos of a Lisbeth Salander-type from a pornography site after a Google image search for “Goth girl.”